Assurance

[Lisa Campeau <>]

Our plans for address of record include everything currently allowed in the 
incommon world.  Postal, email and phone.  

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Jones, Mark B
Sent: Monday, November 12, 2012 3:46 PM
To: 

Subject: RE: [Assurance] last question

What do you use for address of record?

What you describe sounds similar to one of the plans we have discussed.

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of David Langenberg
Sent: Monday, November 12, 2012 2:29 PM
To: 

Subject: Re: [Assurance] last question

Over here, what would happen in that case is each account would be locked.  
Then upon the faculty member contacting IT Security, Support, or our 
Identification and Privileges office and receiving any required education (ie 
don't reply to phishing email) the authorized support person will initiate a 
process which will send a one-time-use-password to the faculty member's 
address(es) of record which will enable them to reset their password.  If IT 
Security believed that the addresses of record were also compromised, then 
faculty member would be required to follow the in-person proofing steps again.

Dave

On Mon, Nov 12, 2012 at 1:10 PM, Lisa Campeau 
<>
 wrote:
> So, how does this work out for you in actual practice in a university 
> setting?
>
> For instance, a compromise of several dozen faculty members.  Do you send 
> out a team to re-silver-credential?  What about a bigger compromise, say 
> several hundred?
>
> -----Original Message-----
> From: 
> 
> [mailto:]
>  On Behalf Of Jones, Mark B
> Sent: Monday, November 12, 2012 2:28 PM
> To: 
> 
> Subject: RE: [Assurance] last question
>
> My opinion is that a 'reset' password should be issued with the same 
> procedure as the 'initial' password.  This may be the same point Tom was 
> making.
>
> If a password needs to be reset, what you are saying is that the person 
> that owns the account is no longer in control of the account.  This is the 
> same state as when the account was new and the owner did not yet know the 
> password.
>
> -----Original Message-----
> From: 
> 
> [mailto:]
>  On Behalf Of Tom Scavo
> Sent: Monday, November 12, 2012 1:21 PM
> To: 
> 
> Subject: Re: [Assurance] last question
>
>
>
>> If a Silver credential is compromised, can or should it be reset 
>> using the compromised credential
>
> If a credential is compromised, it needs to be revoked ASAP, that is, it 
> should no longer be recognized as a valid authenticator.
>
>> and/ or by answering security questions?
>
> I don't believe the IAP gives guidance in the area of password reset (which 
> is what I think you're asking about) so let me give my opinion FWIW. A 
> password is only as strong as the password reset mechanism that goes along 
> with it. Recent events on the open Internet have clearly demonstrated that 
> the Bad Guy, when confronted with a strong authenticator, turns his/her 
> attention to the password reset process using social engineering tactics.
>
> Tom



--
David Langenberg
Identity & Access Management
The University of Chicago